Amendments to the Claims 

This listing of claims will replace all prior versions, and listings, of claims in the application:

Listing of Claims:

1. (Previously Presented) A method of proving membership in a nested group, wherein a presenter of credentials that requests one or more resources to which access is so controlled by a recipient of credentials as to make them available to members of the nested group presents to the recipient of credentials one or more chains of group credentials that prove the presenter's membership in the nested group.

2. (Original) The method of claim 1, wherein one of said chains of group credentials comprise one or more proofs of group membership.

3. (Original) The method of claim 2, wherein said proofs of group membership comprise one or more group membership certificates.

4. (Original) The method of claim 2, wherein said proofs of group membership comprise one or more group membership lists.

5. (Original) The method of claim 1, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

6. (Original) The method of claim 5, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

7. (Original) The method of claim 5, wherein said proofs of group non-membership comprise one or more group membership lists.

8. (Original) The method of claim 1, wherein said recipient is a resource server.

9. (Original) The method of claim 1, wherein said recipient is an on-line group server.

10. (Original) The method of claim 1, wherein said recipient is an on-line revocation server.

11. (Original) The method of claim 1, wherein said recipient is a client.

12. (Previously Presented) A method of proving non-membership in a nested group, wherein a presenter of credentials that requests one or more resources to which access is so controlled by a recipient of credentials as to make them available to non-members of the nested group presents to the recipient of credentials one or more chains of group credentials that prove the presenter's non-membership in the nested group.

13. (Original) The method of claim 12, wherein one of said chains of group credentials comprise one or more proofs of group membership.

14. (Original) The method of claim 13, wherein said proofs of group membership comprise one or more group membership certificates.

15. (Original) The method of claim 13, wherein said proofs of group membership comprise one or more group membership lists.

16. (Original) The method of claim 12, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

17. (Original) The method of claim 16, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

18. (Original) The method of claim 16, wherein said proofs of group non-membership comprise one or more group membership lists.

19. (Original) The method of claim 12, wherein said recipient is a resource server.

20. (Original) The method of claim 12, wherein said recipient is an on-line group server.

21. (Original) The method of claim 12, wherein said recipient is an on-line revocation server.

22. (Original) The method of claim 12, wherein said recipient is a client.

23. (Previously Presented) A computer system wherein a presenter of credentials that requests one or more resources to which access is so controlled by a recipient of credentials as to make them available to members of a nested group presents to the recipient of credentials one or more chains of group credentials to prove the presenter's membership in the nested group.

24. (Original) The system of claim 23, wherein one of said chains of group credentials comprise one or more proofs of group membership.

25. (Original) The system of claim 24, wherein said proofs of group membership comprise one or more group membership certificates.

26. (Original) The system of claim 24, wherein said proofs of group membership comprise one or more group membership lists.

27. (Original) The system of claim 23, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

28. (Original) The system of claim 27, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

29. (Original) The system of claim 27, wherein said proofs of group non-membership comprise one or more group membership lists.

30. (Original) The system of claim 23, wherein said recipient is a resource server.

31. (Original) The system of claim 23, wherein said recipient is an on-line group server.

32. (Original) The system of claim 23, wherein said recipient is an on-line revocation server.

33. (Original) The system of claim 23, wherein said recipient is a client.

34. (Previously Presented) A computer system wherein a presenter of credentials that requests one or more resources to which access is so controlled by a recipient of credentials as to make them available to non-members of a nested group presents to the recipient of credentials one or more chains of group credentials to prove the presenter's non-membership in the nested group.

35. (Original) The system of claim 34, wherein one of said chains of group credentials comprise one or more proofs of group membership.

36. (Original) The system of claim 35, wherein said proofs of group membership comprise one or more group membership certificates.

37. (Original) The system of claim 35, wherein said proofs of group membership comprise one or more group membership lists.

38. (Original) The system of claim 34, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

39. (Original) The system of claim 38, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

40. (Original) The system of claim 38, wherein said proofs of group non-membership comprise one or more group membership lists.

41. (Original) The system of claim 34, wherein said recipient is a resource server.

42. (Original) The system of claim 34, wherein said recipient is an on-line group server.

43. (Original) The system of claim 34, wherein said recipient is an on-line revocation server.

44. (Original) The system of claim 34, wherein said recipient is a client.

45. (Previously Presented) A method of requesting one or more resources from a server on a computer network, in which access to said resources is so controlled by said server as to make them available to members of a nested group, the method comprising:
A. obtaining one or more chains of group credentials that prove membership in the nested group, and
B. transmitting to the server a request for one or more of the one or more resources, said request including the one or more chains of group credentials that prove membership in the nested group.

46. (Original) The method of claim 45, wherein one of said chains of group credentials comprise one or more proofs of group membership.

47. (Original) The method of claim 46, wherein said proofs of group membership comprise one or more group membership certificates.

48. (Original) The method of claim 46, wherein said proofs of group membership comprise one or more group membership lists.

49. (Original) The method of claim 45, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

50. (Original) The method of claim 49, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

51. (Original) The method of claim 49, wherein said proofs of group non-membership comprise one or more group membership lists.

52. (Previously Presented) A method of requesting one or more resources from a server on a computer network, in which access to said resources is so controlled by said server as to make them available to non-members of a nested group, the method comprising:
A. obtaining one or more chains of group credentials that prove non-membership in the nested group, and
B. transmitting to the server a request for one or more of the one or more resources, said request including the one or more chains of group credentials that prove non-membership in the nested group.

53. (Original) The method of claim 52, wherein one of said chains of group credentials comprise one or more proofs of group membership.

54. (Original) The method of claim 53, wherein said proofs of group membership comprise one or more group membership certificates.

55. (Original) The method of claim 53, wherein said proofs of group membership comprise one or more group membership lists.

56. (Original) The method of claim 52, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

57. (Original) The method of claim 56, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

58. (Original) The method of claim 56, wherein said proofs of group non-membership comprise one or more group membership lists.

59. (Previously Presented) A client device on a computer network, said client device configured for requesting one or more resources from a server on the network, in which access to said resources is so controlled by said server as to make them available to members of a nested group, said client device comprising:
A. means for obtaining one or more chains of group credentials that prove client membership in the nested group, and
B. means for transmitting to the server a request for one or more of the service one or more of the one or more resources, said request including the one or more chains of group credentials that prove client membership in the nested group.

60. (Original) The client device of claim 59, wherein one of said chains of group credentials comprise one or more proofs of group membership.

61. (Original) The client device of claim 60, wherein said proofs of group membership comprise one or more group membership certificates.

62. (Original) The client device of claim 60, wherein said proofs of group membership comprise one or more group membership lists.

63. (Original) The client device of claim 59, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

64. (Original) The client device of claim 63, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

65. (Original) The client device of claim 63, wherein said proofs of group non-membership comprise one or more group membership lists.

66. (Previously Presented) A client device on a computer network, said client device configured for requesting one or more resources from a server on the network, in which access to said resources is so controlled by said server as to make them available to non-members of a nested group, said client device comprising:
A. means for obtaining one or more chains of group credentials that prove client non-membership in the nested group, and
B. means for transmitting to the server a request for one or more of the one or more resources, said request including the one or more chains of group credentials that prove client non-membership in the nested group.

67. (Original) The client device of claim 66, wherein one of said chains of group credentials comprise one or more proofs of group membership.

68. (Original) The client device of claim 67, wherein said proofs of group membership comprise one or more group membership certificates.

69. (Original) The client device of claim 67, wherein said proofs of group membership comprise one or more group membership lists.

70. (Original) The client device of claim 66, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

71. (Original) The client device of claim 70, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

72. (Original) The client device of claim 70, wherein said proofs of group non-membership comprise one or more group membership lists.

73. (Previously Presented) A method for operating a resource server on a computer network, said resource server configured to control access to one or more resources and provide access thereto to members of a nested group, the method comprising:
A. receiving a resource-access request from a client, said request including one or more chains of group credentials proving client membership in the nested group,
B. validating the one or more chains of group credentials, and
C. if the one or more chains of group credentials are determined to be valid, providing the requested access to the client.

74. (Original) The method of claim 73, wherein one of said chains of group credentials comprise one or more proofs of group membership.

75. (Original) The method of claim 74, wherein said proofs of group membership comprise one or more group membership certificates.

76. (Original) The method of claim 74, wherein said proofs of group membership comprise one or more group membership lists.

77. (Original) The method of claim 73, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

78. (Original) The method of claim 77, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

79. (Original) The method of claim 77, wherein said proofs of group non-membership comprise one or more group membership lists.

80. (Previously Amended) A method for operating a resource server on a computer network, said resource server configured to control access to one or more resources and provide access thereto to non-members of a nested group, the method comprising:
A. receiving a resource-access request from a client, said request including one or more chains of group credentials proving client non-membership in the nested group,
B. validating the one or more chains of group credentials, and
C. if the one or more chains of group credentials are determined to be valid, providing the requested access to the client.

81. (Original) The method of claim 80, wherein one of said chains of group credentials comprise one or more proofs of group membership.

82. (Original) The method of claim 81, wherein said proofs of group membership comprise one or more group membership certificates.

83. (Original) The method of claim 81, wherein said proofs of group membership comprise one or more group membership lists.

84. (Original) The method of claim 80, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

85. (Original) The method of claim 84, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

86. (Original) The method of claim 84, wherein said proofs of group non-membership comprise one or more group membership lists.

87. (Previously Presented) A method for operating a resource server on a computer network, said resource server configured to control access to one or more resources and provide access thereto to members of a nested group, the method comprising:
A. means for receiving a resource-access request from a client, said request including one or more chains of group credentials proving client membership in the nested group,
B. means for validating the one or more chains of group credentials, and
C. means for providing the requested access to the client if the one or more chains of group credentials are determined to be valid.

88. (Original) The resource server of claim 87, wherein one of said chains of group credentials comprise one or more proofs of group membership.

89. (Original) The resource server of claim 88, wherein said proofs of group membership comprise one or more group membership certificates.

90. (Original) The resource server of claim 88, wherein said proofs of group membership comprise one or more group membership lists.

91. (Original) The resource server of claim 87, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

92. (Original) The resource server of claim 91, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

93. (Original) The resource server of claim 91, wherein said proofs of group non-membership comprise one or more group membership lists.

94. (Previously Presented) A method for operating a resource server on a computer network, said resource server configured to control access to one or more resources and provide access thereto to non-members of a nested group, the method comprising:
A. means for receiving a resource-access request from a client, said request including one or more chains of group credentials proving client non-membership in the nested group,
B. means for validating the one or more chains of group credentials, and
C. means for providing the requested access to the client if the one or more chains of group credentials are determined to be valid.

95. (Original) The resource server of claim 94, wherein one of said chains of group credentials comprise one or more proofs of group membership.

96. (Original) The resource server of claim 95, wherein said proofs of group membership comprise one or more group membership certificates.

97. (Original) The resource server of claim 95, wherein said proofs of group membership comprise one or more group membership lists.

98. (Original) The resource server of claim 94, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

99. (Original) The resource server of claim 98, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

100. (Original) The resource server of claim 98, wherein said proofs of group non-membership comprise one or more group membership lists.

101. (Currently Amended) A computer data signal embodied in a carrier wave and program product comprising a computer usable medium having thereon computer readable program code representing a sequence of instructions that, when executed by a processor in a network device requesting one or more resources from a server, in which access to said resources is so controlled by said server as to make them available to members of a nested group, configures the network device to operate as a client device that:
A. obtains one or more chains of group credentials that prove client membership in the nested group, and
B. transmits to the server a request for one or more of the one or more resources, said request including the one or more chains of group credentials that prove membership in the nested group.

102. (Currently Amended) The computer data signal program product of claim 101, wherein one of said chains of group credentials comprise one or more proofs of group membership.

103. (Currently Amended) The computer data signal program product of claim 102, wherein said proofs of group membership comprise one or more group membership certificates.

104. (Currently Amended) The computer data signal program product of claim 102, wherein said proofs of group membership comprise one or more group membership lists.

105. (Currently Amended) The computer data signal program product of claim 101, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

106. (Currently Amended) The computer data signal program product of claim 105, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

107. (Currently Amended) The computer data signal program product of claim 105, wherein said proofs of group non-membership comprise one or more group membership lists.

108. (Currently Amended) A computer data signal embodied in a carrier wave and program product comprising a computer usable medium having thereon computer readable program code representing a sequence of instructions that, when executed by a processor in a network device requesting one or more resources from a server, in which access to said resources is so controlled by said server as to make them available to non-members of a nested group, configures the network device to operate as a client device that:
A. obtains one or more chains of group credentials that prove client non-membership in the nested group, and
B. transmits to the server a request for one or more of the one or more resources, said request including the one or more chains of group credentials that prove non-membership in the nested group.

109. (Currently Amended) The computer data signal program product of claim 108, wherein one of said chains of group credentials comprise one or more proofs of group membership.

110. (Currently Amended) The computer data signal program product of claim 109, wherein said proofs of group membership comprise one or more group membership certificates.

111. (Currently Amended) The computer data signal program product of claim 109, wherein said proofs of group membership comprise one or more group membership lists.

112. (Currently Amended) The computer data signal program product of claim 108, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

113. (Currently Amended) The computer data signal program product of claim 112, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

114. (Currently Amended) The computer data signal program product of claim 112, wherein said proofs of group non-membership comprise one or more group membership lists.

115. (Currently Amended) A computer data signal embodied in a carrier wave and program product comprising a computer usable medium having thereon computer readable program code representing a sequence of instructions that, when executed by a processor in a network device configured to control access to one or more resources and provide access thereto to members of a nested group, configures the network device to operate as a resource server that:
A. receives a resource-access request from a client, said request including one or more chains of group credentials proving client membership in the nested group,
B. validates the one or more chains of group credentials, and
C. if the one or more chains of group credentials are determined to be valid, provides the requested access to the client.

116. (Currently Amended) The computer data signal program product of claim 115, wherein one of said chains of group credentials comprise one or more proofs of group membership.

117. (Currently Amended) The computer data signal program product of claim 116, wherein said proofs of group membership comprise one or more group membership certificates.

118. (Currently Amended) The computer data signal program product of claim 116, wherein said proofs of group membership comprise one or more group membership lists.

119. (Currently Amended) The computer data signal program product of claim 115, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

120. (Currently Amended) The computer data signal program product of claim 119, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

121. (Currently Amended) The computer data signal program product of claim 119, wherein said proofs of group non-membership comprise one or more group membership lists.

122. (Currently Amended) A computer data signal embodied in a carrier wave and program product comprising a computer usable medium having thereon computer readable program code representing a sequence of instructions that, when executed by a processor in a network device configured to control access to one or more resources and provide access thereto to non-members of a nested group, configures the network device to operate as a resource server that:
A. receives a resource-access request from a client, said request including one or more chains of group credentials proving client non-membership in the nested group,
B. validates the one or more chains of group credentials, and
C. if the one or more chains of group credentials are determined to be valid, provides the requested access to the client.

123. (Currently Amended) The computer data signal program product of claim 122, wherein one of said chains of group credentials comprise one or more proofs of group membership.

124. (Currently Amended) The computer data signal program product of claim 123, wherein said proofs of group membership comprise one or more group membership certificates.

125. (Currently Amended) The computer data signal program product of claim 123, wherein said proofs of group membership comprise one or more group membership lists.

126. (Currently Amended) The computer data signal program product of claim 122, wherein one of said chains of group credentials comprise one or more proofs of group non-membership.

127. (Currently Amended) The computer data signal program product of claim 126, wherein said proofs of group non-membership comprise one or more group non-membership certificates.

128. (Currently Amended) The computer data signal program product of claim 126, wherein said proofs of group non-membership comprise one or more group membership lists.